CVE-2020-9006SQL Injection in Popup Builder

CWE-89SQL InjectionCWE-502Deserialization of Untrusted Data3 documents3 sources
Severity
9.8CRITICALNVD
EPSS
41.3%
top 2.60%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Sygnoos Popup Builder
Timeline
PublishedFeb 17
Latest updateMay 24

Description

The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups function in sg_popup_ajax.php) via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator account, leading to possible Remote Code Execution because Administrators can run PHP code on Wordpress instances. (This issue has been fixed in the 3.x branch of popup-builder.)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

NVDsygnoos/popup_builder2.2.82.6.7.6

🔴Vulnerability Details

2
GHSA
GHSA-7w63-rpf8-69q7: The Popup Builder plugin 22022-05-24
CVEList
CVE-2020-9006: The Popup Builder plugin 22020-02-17
CVE-2020-9006 — SQL Injection in Sygnoos Popup Builder | cvebase